Posted on March 12, 2017 as Overthewire.
Today we're going to attack another reverse engineering challenge, this time from the Behemoth series.
This wargame deals with a lot of regular vulnerabilities found commonly 'out
in the wild'. While the game makes no attempts at emulating a real environment
it will teach you how to exploit several of the most common coding mistakes
including buffer overflows, race conditions and privilege escalation.
Sounds fun, so let's jump straight into the unknown!
This time, we are given only a binary file, so no more viewing the source code.
We have to somehow get the password, which may result in spawning a shell. Our best friend, gdb, can help us get better information about how we should approach this challenge.
This code looks really interesting. Most of the functions are known from C, but what is memfrob?
Let's take a look at the man page's description.
The memfrob() function encrypts the first n bytes of the memory area s
by exclusive-ORing each character with the number 42. The effect can
be reversed by using memfrob() on the encrypted memory area.
Note that this function is not a proper encryption routine as the XOR
constant is fixed, and is suitable only for hiding strings.
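The property the man page describes, as an added example (not code from the original post or from the challenge binary): a re-implementation of the XOR-with-42 transform and a strings-style scan that recovers a memfrob()-hidden string from a byte buffer. The helper names and the sample buffer with its placeholder secret are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FROB_KEY 42 /* the fixed constant named in the memfrob() man page */

/* Same transform the man page describes, written out so the example
   does not depend on glibc: XOR the first n bytes of s with 42. */
static void frob42(unsigned char *s, size_t n) {
    for (size_t i = 0; i < n; i++) s[i] ^= FROB_KEY;
}

/* Find the first run of at least min_len bytes that are printable ASCII
   once the XOR is undone. Copies the decoded run into out and returns its
   offset, or -1 if none is found. Runs too long for out are skipped. */
static long find_frobbed(const unsigned char *buf, size_t len, size_t min_len,
                         char *out, size_t out_sz) {
    size_t start = 0, run = 0;
    for (size_t i = 0; i <= len; i++) {
        unsigned char c = (i < len) ? (unsigned char)(buf[i] ^ FROB_KEY) : 0;
        if (c >= 0x20 && c <= 0x7e) {        /* decodes to printable ASCII */
            if (run++ == 0) start = i;
            continue;
        }
        if (run >= min_len && run < out_sz) {
            for (size_t j = 0; j < run; j++)
                out[j] = (char)(buf[start + j] ^ FROB_KEY);
            out[run] = '\0';
            return (long)start;
        }
        run = 0;
    }
    return -1;
}

/* Constructed sample: padding, a frobbed placeholder secret, frobbed NULs. */
static size_t build_sample(unsigned char *blob) {
    const char *secret = "constructed-secret"; /* not the level's password */
    size_t n = strlen(secret);
    memset(blob, 0xff, 8);
    memcpy(blob + 8, secret, n);
    frob42(blob + 8, n);                       /* hide it the memfrob() way */
    memset(blob + 8 + n, 0x2a, 4);             /* 0x2a is NUL XOR 42 */
    return 8 + n + 4;
}

int main(void) {
    unsigned char blob[64];
    char found[64];
    long off = find_frobbed(blob, build_sample(blob), 6, found, sizeof found);
    if (off >= 0) printf("offset %ld: %s\n", off, found);
    return off < 0;
}
```

Because the key is a fixed constant, anyone holding the binary can undo the transform; a stored secret needs a salted password hash and a constant-time comparison rather than memfrob() and strcmp().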
That looks like a good thing to exploit, but I have another idea. Firstly, we will have to set a breakpoint at the strcmp function.
Now let's take a look at the 0x0804862f address. This line copies the value from %eax to the location in memory that %esp points to. Maybe we can view what %eax is storing inside?
Wow, that's the password we entered just seconds ago! So maybe %esp will be our desired password?
This string at the end looks quite suspicious, maybe we should check that?
It was the password!
I'm definitely going to continue the Behemoth wargame, as the challenges have been really fun and intriguing from the beginning. Thanks, OverTheWire!